ESET: cyber-criminals exploited known vulnerability in Microsoft IIS 6.0 to install modified Monero mining software

BRATISLAVA, 03-Oct-2017 — /EuropaWire/ — ESET, a leading global cyber security company, has discovered a new threat whereby attackers infected vulnerable Windows web servers with a malicious cryptocurrency miner in order to mine Monero – a newer cryptocurrency alternative to Bitcoin. Microsoft has released the update, but many servers remain outdated to this day.

To achieve this, the attackers took legitimate open-source Monero mining software, modified it, and exploited a known vulnerability in Microsoft IIS 6.0 (CVE-2017-7269, the flaw that the update named below addresses) to install the miner covertly on unpatched servers. The only change to the original open-source codebase was to hardcode the command line arguments carrying the attacker's wallet address and the mining pool URL; ESET notes this could have taken the criminals just minutes to complete.

Money-making malware

Malware experts at ESET have reason to believe this operation has been happening since May 2017. During this time, the cyber-criminals behind the campaign have created a botnet of hundreds of infected machines and made over $63,000 worth of Monero.

“While far behind Bitcoin in market capitalization, there are a number of reasons why attackers are mining for Monero,” said Peter Kálnai, ESET Malware Researcher. “Features such as untraceable transactions and a proof of work algorithm called CryptoNight, which favours computer or server central processing units, make the cryptocurrency an attractive alternative for cybercriminals. Bitcoin mining, in comparison, requires specialised mining hardware.”

Exploiting vulnerabilities

This type of malicious activity is an example of how minimal skill and low operating costs can be enough to produce a significant outcome. In this case, the ingredients were the misuse of legitimate open-source cryptocurrency mining software and the targeting of old systems likely to be left unpatched.

In July 2015, Microsoft ended regular update support for Windows Server 2003, and it did not release a patch for this vulnerability until June 2017, when several critical vulnerabilities in its older systems were found to have been discovered by malware authors.

Despite the end-of-life status of the system, Microsoft did patch these critical vulnerabilities in order to avoid a repeat of large-scale attacks such as WannaCry. However, it is well documented that automatic updates do not always work smoothly, which can affect the ability to keep Windows Server 2003 up to date.

“As a significant number of systems are still vulnerable, users of Windows Server 2003 are strongly advised to apply the security update, KB3197835, and other critical patches as soon as possible,” said Michal Poslušný, ESET Malware Analyst. “If automatic updates fail, we encourage users to download and install the security update manually to avoid falling victim to malicious attacks.”
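One way to verify the state the quotation describes, as an added example that is not part of ESET's release: the script below checks a Windows Server 2003 host for the presence of KB3197835 and for a running IIS 6.0 instance, and exits non-zero when the server is exposed. It assumes PowerShell 2.0 (the version installable on Server 2003) or later, run locally as an administrator; the KB number is from the release, the registry path, service name and exit-code convention are the example's own assumptions.

```powershell
# Added example (not ESET's code): is this Windows Server 2003 / IIS 6.0 host
# missing KB3197835, the update named in the release?
# Assumes PowerShell 2.0 or later, run locally as an administrator.
param(
    [string]$Kb = 'KB3197835'   # update named in the release
)

# Win32_QuickFixEngineering lists installed updates; it is present on Server 2003.
$installed = Get-WmiObject -Class Win32_QuickFixEngineering |
    Where-Object { $_.HotFixID -eq $Kb }
$patchApplied = [bool]$installed

# Only IIS 6.0 is affected. The IIS setup key (assumed path) records the major version.
$iis = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
$iisMajor = $null
if ($iis) { $iisMajor = [int]$iis.MajorVersion }

# W3SVC is the World Wide Web Publishing service; if it is not running the
# vulnerable code is not reachable over the network, although the patch is still due.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
$w3svcStatus = 'not installed'
if ($w3svc) { $w3svcStatus = [string]$w3svc.Status }

$result = New-Object PSObject -Property @{
    ComputerName = $env:COMPUTERNAME
    IISMajor     = $iisMajor
    W3SVCStatus  = $w3svcStatus
    PatchApplied = $patchApplied
}
$result | Format-List ComputerName, IISMajor, W3SVCStatus, PatchApplied

if ($iisMajor -eq 6 -and -not $patchApplied) {
    Write-Warning ("{0} runs IIS 6.0 without {1}; install the update manually (W3SVC is {2})." `
        -f $env:COMPUTERNAME, $Kb, $w3svcStatus)
    exit 1   # exposed: IIS 6.0 present, update missing
}
exit 0       # patched, or not an IIS 6.0 host
```

Run it from an elevated prompt on each Server 2003 host; a non-zero exit code marks a machine that still needs the update, which makes the script usable from an inventory or scheduling tool. A `PatchApplied` of `False` on a host where Automatic Updates reports success is exactly the failure mode the quotation warns about, and the fix is to download and install the update by hand.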

To read more, please visit WeLiveSecurity.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET's high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single "in-the-wild" malware without interruption since 2003. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.

SOURCE: ESET, spol. s r.o.

MEDIA CONTACT

tel: +421 (2) 322 44 111
email: globalpr@eset.com

 
